
CSC3064 Practical Assessment

Objective

You have just started a new job as a network security analyst at a Security Operations Center (SOC). Your job is to investigate cyber-attacks affecting customers of the SOC.

Your manager has asked you to investigate a network packet capture containing malware-related network activity, which was taken from a customer’s network a few years ago.

You have been asked to analyse the packet capture and provide a concise presentation of your findings (according to the requirements on page 2).

The packet capture, called Assessment-1.pcap, is available to download from Canvas.

You are required to submit a single mp4 video file via the Canvas Assignments page.

This assessment is worth 40% of the available module marks.

The submission deadline is 23:59 on 6 March 2023.

Requirements

You are required to produce a video report that addresses the following two points:

1. Information Summary

You are required to concisely present the following information at the start of your video. No other introduction or summary is necessary.

a. State all protocols that are seen in the capture higher than OSI layer 4.

b. State how many packets contain a DNS query.

c. State the two most common TCP port numbers used by packets in the capture, and state how many packets use the most common port and how many packets use the second most common port.

(For example, if TCP port 789 is the source port of 2,000 packets and the destination port of 30,000 packets, this means port 789 is used by 32,000 packets.)

d. State the IP address of the host where the capture was taken, as well as any other host IP addresses that you believe may belong to the same network. Very briefly, state any insights that might be inferred about these hosts that you feel are useful.

2. Wireshark Analysis & Recommendations

Must include:

a. A verbal and visual explanation of what you think happened in the network. Identify the name of the malware if you can. Consider a timeline of the communications that took place, supported by evidence displayed in Wireshark.

b. Identify any network-based indicators (also called Indicators of Compromise (IOCs)) that you think are useful from a network security perspective to identify this attack again in the future.

c. Using the network-based indicators identified above, and any other findings or sources of information that you consider to be valid, recommend network security measures that you would apply to prevent or detect such an attack in the future. Comment on any advantages or disadvantages of your proposals, including how effective you think they would be at prevention or detection of such an attack.

You must justify your findings with evidence, based on operations that you observe in the packet capture and show this clearly in your video:

•    Discuss and display specific individual packets, protocol information, headers, IP addresses, etc. (anything you think is relevant), with commentary about how the information supports your theories or conclusions about what happened in the network.

•    In your discussion recommending security measures, justify your proposals by pointing to features in certain packets that you believe are useful to support prevention and detection measures.

Guidance About the Capture File and Analysis

Some packets have been removed from the original capture to ensure minimal cyber security risks associated with the content of the capture. This will not affect or hinder your ability to analyse the capture.

Don't visit any hosts or domains you find in the capture; this is not required for your investigation:

•    The hosts recorded in the file are not believed to pose a current security risk; however, it is recommended that you do not visit any hosts or domains that you discover.

•    To avoid doing this accidentally, do not enter any IP addresses, domains, or URLs directly into your browser's address/search bar, otherwise your browser will likely go directly to the site. Use the search engine's main page to carry out any searches instead.

Don't attempt to extract code from this capture or anywhere else on the internet; this is not required for your investigation:

•    Packets have been deleted from the capture to remove accidental exposure to threats; however, do not go looking for code elsewhere to analyse.

•    You are required only to carry out an analysis of the network related features seen in this packet capture.

Guidance on Video Timing and Structure

You should aim for around 5 minutes, but you must not exceed 6 minutes. Any videos longer than 6 minutes will be awarded 0 marks for quality of presentation.

You may structure your video however you feel most effectively communicates your findings. However, the following approach is recommended:

Information Summary

•    Aim for around 1 minute.

•    Use a PowerPoint slide to present the required information with a focused discussion.

Wireshark Analysis & Recommendations

•    Aim for around 4 minutes.

•    Present your evidence using the Wireshark tool. Discuss your theories and justifications by stepping through any evidence you think supports your findings.

•    You may wish to intersperse your discussion with 1 or 2 brief PowerPoint slides or reference websites to add depth to key points that you want to emphasise.

•    For example, you may wish to conclude with a slide to present key security recommendations (but don't waste time repeating the same information twice).

•    Your primary aim should be to demonstrate effective practical skills in network security analysis and competent use of Wireshark, so most of your time must be spent working within Wireshark.

Regarding the presentation format and the audience, keep in mind that the audience for your presentation is your manager at a Security Operations Center.

•    Present your video as if your manager is sitting with you at your desk for 5 minutes and would like a quick but accurate update on your work.

•   The presentation should appear professional and convey depth of detail, but be concise.

Tips

Do include:

If you determine that the capture shows a TCP SYN flood attack, you might show evidence such as:

•    Wireshark statistics that support this conclusion,

•    Data showing a very large number of TCP packets with the SYN flag set,

•    The IP address of the host that you believe is the target of the attack, etc.
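The counting questions in the Information Summary (packets containing a DNS query, and the two busiest TCP ports using the brief's source-plus-destination arithmetic) and the SYN-flag evidence suggested above can all be cross-checked outside Wireshark, which is a useful sanity check before you present numbers to a manager. The script below is an added example, not part of the assessment brief and not written by the module team. It builds a small constructed pcap in memory (the addresses, ports and the `example.com` query are made up) and parses it with only the Python standard library. It mirrors three things you would otherwise do in Wireshark: the display filter `dns.flags.response == 0`, the filter `tcp.flags.syn == 1 && tcp.flags.ack == 0`, and the per-port packet totals you can read from Statistics > Endpoints (TCP tab).

```python
"""Headline numbers from a pcap without a GUI (added example, not part of the brief)."""
import socket
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4            # classic libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17
TCP_SYN, TCP_ACK = 0x02, 0x10


def iter_pcap_frames(data):
    """Yield the captured bytes of each record in a little-endian libpcap file."""
    magic, _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian libpcap file with Ethernet frames")
    offset = 24
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack("<IIII", data[offset:offset + 16])
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def parse_frame(frame):
    """Return (proto, sport, dport, tcp_flags, l4_payload) for IPv4 TCP/UDP, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4           # IPv4 header length in bytes
    proto = frame[23]                      # IPv4 protocol field
    l4 = frame[14 + ihl:]
    if proto == IPPROTO_TCP and len(l4) >= 20:
        sport, dport = struct.unpack("!HH", l4[:4])
        return proto, sport, dport, l4[13], l4[(l4[12] >> 4) * 4:]
    if proto == IPPROTO_UDP and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        return proto, sport, dport, 0, l4[8:]
    return None


def is_dns_query(proto, sport, dport, payload):
    """A DNS query is a UDP/53 message whose QR bit (top bit of the flags word) is clear."""
    if proto != IPPROTO_UDP or 53 not in (sport, dport) or len(payload) < 12:
        return False
    return (payload[2] & 0x80) == 0


def summarize(pcap_bytes):
    """Answer the summary questions plus the SYN-flood check from the Tips section."""
    dns_queries = 0
    syn_only = 0                        # SYN set and ACK clear, i.e. connection attempts
    src_ports, dst_ports = Counter(), Counter()
    for frame in iter_pcap_frames(pcap_bytes):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        proto, sport, dport, flags, payload = parsed
        if is_dns_query(proto, sport, dport, payload):
            dns_queries += 1
        if proto == IPPROTO_TCP:
            src_ports[sport] += 1
            dst_ports[dport] += 1
            if flags & TCP_SYN and not flags & TCP_ACK:
                syn_only += 1
    # "Packets using a port" = packets with it as source + packets with it as destination,
    # which is the arithmetic the brief gives in its port 789 example.
    usage = Counter({p: src_ports[p] + dst_ports[p] for p in set(src_ports) | set(dst_ports)})
    return {"dns_queries": dns_queries, "syn_only_packets": syn_only,
            "top_tcp_ports": usage.most_common(2)}


def _ipv4_frame(src, dst, proto, sport, dport, payload=b""):
    """Build an Ethernet/IPv4/(TCP|UDP) frame; checksums are left at zero (constructed data)."""
    if proto == IPPROTO_TCP:   # 20-byte TCP header, SYN flag only
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, TCP_SYN, 8192, 0, 0) + payload
    else:                      # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4


def build_sample_pcap():
    """Constructed capture: 5 SYNs to port 80, 3 SYNs to port 443, 2 DNS queries, 1 DNS response."""
    frames = [_ipv4_frame("10.0.0.5", "203.0.113.10", IPPROTO_TCP, 49152 + i, 80) for i in range(5)]
    frames += [_ipv4_frame("10.0.0.5", "203.0.113.10", IPPROTO_TCP, 49200 + i, 443) for i in range(3)]
    question = b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"        # example.com, type A, class IN
    query = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + question      # QR=0, RD=1
    response = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + question   # QR=1
    frames.append(_ipv4_frame("10.0.0.5", "10.0.0.1", IPPROTO_UDP, 53001, 53, query))
    frames.append(_ipv4_frame("10.0.0.1", "10.0.0.5", IPPROTO_UDP, 53, 53001, response))
    frames.append(_ipv4_frame("10.0.0.5", "10.0.0.1", IPPROTO_UDP, 53002, 53, query))
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for n, frame in enumerate(frames):
        out += struct.pack("<IIII", 1600000000 + n, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    print(summarize(build_sample_pcap()))
```

To run it against a real file, replace `build_sample_pcap()` with `open("Assessment-1.pcap", "rb").read()`. The reader only understands the classic little-endian pcap format with Ethernet frames; a pcapng file or a different link type would need a different header parser. Note also that the port arithmetic deliberately follows the brief and counts a packet twice if the same port appears as both source and destination, so compare its output with the Wireshark statistics rather than treating either as ground truth.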

Do not include:

To justify your findings in the example above, you do not need to cite references as evidence to explain what SYN floods look like. You would not do this for your SOC manager in real life.

As a different example, let's say you conclude the capture shows CryptoLocker ransomware. Do not go into detail about host or software related operations, such as "the malware adds a key to the registry that causes…" as this is not network-related, not visible in the capture, and not relevant for this particular security analysis of network packets.